I have installed certbot through snap on an Ubuntu 22 host, and everything works as expected. Thanks for making this happen.
Does it automatically renew with a default install? Or do I have to make any changes? I have googled for it, but there are many answers for many versions.
systemctl list-timers returns:
Mon 2023-05-01 23:09:00 UTC 3h 25min left n/a n/a snap.certbot.renew.timer snap.certbot.renew.service
and under /etc/systemd/system there are snap.certbot.renew.service and snap.certbot.renew.timer
I also checked the crontab and related folders and found no reference to the renew command.
The contents of snap.certbot.renew.service are:
[Unit]
# Auto-generated, DO NOT EDIT
Description=Service for snap application certbot.renew
Requires=snap-certbot-2913.mount
Wants=network.target
After=snap-certbot-2913.mount network.target snapd.apparmor.service
X-Snappy=yes
[Service]
EnvironmentFile=-/etc/environment
ExecStart=/usr/bin/snap run --timer="00:00~24:00/2" certbot.renew
SyslogIdentifier=certbot.renew
Restart=no
WorkingDirectory=/var/snap/certbot/2913
TimeoutStopSec=30
Type=oneshot
--
So I think it will autorenew, but we don't have a post hook to restart apache2.
The install sets up a timer, as you see, which runs certbot renew.
And, that reviews and renews any certs based on their renewal config file. So, as long as you used a method that allows auto-renew it should be fine. Really, the only method that can't auto-renew is --manual without the special hooks. Or, if after you get the cert you change your system config like blocking port 80 even when using the HTTP Challenge.
You can test renewals with
sudo certbot renew --dry-run
The --dry-run will not disrupt any active certs.
If you want, show us the contents of the conf file in /etc/letsencrypt/renewal too.
Is this your first run of certbot? I don't see your domain in the thread, so I can't tell if you have a history of certificates yet...
I am not an expert on the systemd timers (yet), but I am betting on the fact that your system hasn't had time to renew yet, so the timer output is not yet complete, or fully populated.
Guessing is not good.
My 2 cents.
I used "certbot certonly --apache" and then I manually changed apache configuration to use ../live/* files.
My certificates are brand new, so they are not expired yet. I just don't want to go through certificate hell when the time comes, so I was checking to see it will renew. I also tried certbot renew --dry-run and it runs without problems.
With the current configuration, it seems it will renew automatically. It seems snap.certbot.renew.timer checks when it is the right time, and then triggers snap.certbot.renew.service, but I found no mechanism inside snap.certbot.renew.service to reload apache.
Notice that I used certonly to generate the certificates. I did run the reconfigure command as below, and got the following result:
You are attempting to set a --deploy-hook. Would you like Certbot to run deploy
hooks when it performs a dry run with the new settings? This will run all
relevant deploy hooks, including directory hooks, unless --no-directory-hooks is
set. This will use the current active certificate, and not the temporary test
certificate acquired during the dry run.
(R)un deploy hooks/(D)o not run deploy hooks: R
Simulating renewal of an existing certificate for mydomain.org and 9 more domains
Successfully updated configuration.
Changes will apply when the certificate renews.
--
In /etc/letsencrypt/renewal/mydomain.org.conf there is a line: renew_hook = systemctl reload apache2
I think this should do it, but is there a sure way to test if it works?
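One way to check the outcome of the reload hook discussed above, as an added example that is not part of the original thread or of Certbot itself: read the renew_hook and cert path from the renewal file, then compare the certificate on disk with the one Apache actually serves. The function names, the script name and the sample file contents are assumptions made for illustration, and the parser assumes the plain key = value layout quoted in the post.

```python
import configparser
import hashlib
import ssl
import sys

# Constructed sample in the layout of /etc/letsencrypt/renewal/<name>.conf
SAMPLE_CONF = """\
cert = /etc/letsencrypt/live/mydomain.org/cert.pem
[renewalparams]
authenticator = apache
renew_hook = systemctl reload apache2
"""


def read_renewal_conf(text):
    """Return (cert_path, deploy_hook) from the body of a renewal .conf file."""
    cp = configparser.ConfigParser(interpolation=None)
    # Keys above [renewalparams] have no section header, so supply one.
    cp.read_string("[top]\n" + text)
    return (cp.get("top", "cert", fallback=None),
            cp.get("renewalparams", "renew_hook", fallback=None))


def fingerprint(pem):
    """SHA-256 of the first certificate in a PEM string (leaf of a chain)."""
    end = "-----END CERTIFICATE-----"
    leaf = pem[: pem.index(end) + len(end)]
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(leaf)).hexdigest()


def reload_took_effect(disk_pem, served_pem):
    """True when the server presents the same leaf certificate that is on disk."""
    return fingerprint(disk_pem) == fingerprint(served_pem)


def check(conf_path, host, port=443):
    """Status: 0 served cert matches disk, 1 stale cert served, 2 no hook set."""
    with open(conf_path) as fh:
        cert_path, hook = read_renewal_conf(fh.read())
    if not hook:
        return 2
    with open(cert_path) as fh:
        disk_pem = fh.read()
    # Fetch what Apache actually presents; no chain validation is done here.
    served_pem = ssl.get_server_certificate((host, port))
    return 0 if reload_took_effect(disk_pem, served_pem) else 1


if __name__ == "__main__":
    if len(sys.argv) == 3:  # e.g. sudo python3 check_reload.py <renewal .conf> <host>
        sys.exit(check(sys.argv[1], sys.argv[2]))
    print(read_renewal_conf(SAMPLE_CONF))  # offline demo on the constructed sample
```

Run after a real renewal, exit status 1 means the files under live/ changed but Apache is still presenting the previous certificate, which is the symptom of a missing or failing reload hook.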